
Your guide to the Payment Card Industry Data Security Standard (PCI DSS)

Merchant Business Solutions

Version 5.0 (April 2011)

Contents

Introduction
What are the 12 key requirements of PCIDSS?
Protect your business
What is an Account Data Compromise (ADC)?
What are the potential impacts of an ADC?
Where do I start?
What are my compliance requirements?
How do I determine my validation requirements?
What is the Self Assessment Questionnaire (SAQ)?
What is a Vulnerability Scan?
What is an on-site security assessment?
What should I do if I'm 'non-compliant'?
The Prioritised Approach Tool
What are the requirements for Payment Applications?
What should I do in the event of an Account Data Compromise?
What penalties may apply to my business for failure to meet the PCIDSS requirements?
Contact Us
Additional Information

Introduction

At Westpac we are committed to providing our merchants with every assistance in protecting their business from the growing threat of an Account Data Compromise (ADC). Criminals are using increasingly sophisticated techniques to obtain customer account information, therefore it is critical that merchants implement rigorous controls to minimise the risk of being the subject of an ADC.

The Payment Card Industry Data Security Standard (PCIDSS) is a set of comprehensive requirements for enhancing payment account data security and forms industry best practice for any entity that stores, processes and/or transmits cardholder data. This comprehensive standard is intended to help organisations proactively protect customer account data. It is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.

The PCIDSS was developed by the Payment Card Industry Security Standards Council (PCISSC) and has been formalised into the MasterCard Site Data Protection (SDP) and Visa Account Information Security (AIS) programs.

The PCIDSS consists of 6 core principles which are accompanied by 12 requirements. These requirements can be viewed on the following page.

The PCIDSS applies to all merchants, however the scope of your assessment changes depending on what solution you use and how you operate your business. As a merchant it is important that you understand these standards and implement controls in your business environment to avoid the potential financial penalties, investigative costs and negative media attention associated with an ADC. It is also important that you ensure that any third party entity which stores, processes and/or transmits cardholder account data on your behalf is compliant to the PCIDSS.

What are the 12 key requirements of PCIDSS?

The 12 key requirements are listed in the following table.

PCI Data Security Standard

Build and maintain a secure network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data and sensitive information across open public networks

Maintain a vulnerability management program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement strong access control measures
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an information security policy
12. Maintain a policy that addresses information security

Protect your business

Compliance to the PCIDSS greatly reduces the possibility of being the subject of an ADC and in turn protects your business reputation and ensures you retain customer confidence in your brand.

What is an Account Data Compromise (ADC)?

An ADC is when a person or group gain unauthorised access to cardholder data that is held within your business environment in either electronic or physical form. It can be identified in a number of ways, however it is usually detected as a common point of purchase before cards are used fraudulently elsewhere. Once a potential ADC has been reported a PCI forensic investigator must come onsite to determine the source of the compromise and quantify the amount of cardholder data that has been stolen.

There have been, and continue to be, many examples of ADC events worldwide and they have been experienced by all types of business, small and large. It is important to recognise that criminals do not target any particular type of business; if there is an identified weakness and they can exploit it, they will.

What are the potential impacts of an ADC?

If you become the subject of an ADC you risk financial penalties, the suspension or termination of your merchant facility, damage to your brand and reputation and having to undertake additional ongoing audit tasks.

Where do I start?

The PCIDSS can be found on the PCISSC website www.pcisecuritystandards.org. It is recommended that you perform a gap analysis by completing the relevant Self Assessment Questionnaire (SAQ) and, when applicable, engage an Approved Scanning Vendor (ASV) to perform a vulnerability scan. Both the SAQs and a list of ASVs can be found on the PCISSC website. More information about SAQs can also be found on page 7 of this brochure.

What are my compliance requirements?

Being compliant to the PCIDSS forms part of your merchant agreement, however your validation requirements differ depending on the number of transactions you process annually and the merchant solution you use. The use of compliant third party entities also forms part of your merchant agreement.

How do I determine my validation requirements?

As MasterCard and Visa have different transaction levels which regulate the requirements, we have simplified the process by setting parameters for you based on existing merchant information. Westpac will review your transaction count annually and, should we require you to validate compliance as a Level 1, 2 or 3 merchant, we will advise you accordingly. We reserve the right to reclassify your level at any time for any reason.

You may notice that our validation requirements may differ slightly from those of MasterCard or Visa which you may view online, or in other material from the Card Schemes. At all times, the Westpac PCIDSS Levels will take precedence over MasterCard and Visa levels for our merchants.

Westpac PCI Levels

PCIDSS Level 1
Number of Visa or MasterCard transactions processed by the business annually: More than 6,000,000 total transactions per annum
Validation Requirements: 1. Annual on-site assessment completed by a QSA; 2. Quarterly Vulnerability Scan performed by an ASV

PCIDSS Level 2
Number of Visa or MasterCard transactions processed by the business annually: More than 1,000,000 transactions but less than 6,000,000 transactions per annum
Validation Requirements: 1. Annual SAQ; 2. Quarterly Vulnerability Scan performed by an ASV

PCIDSS Level 3
Number of Visa or MasterCard transactions processed by the business annually: More than 20,000 e-commerce transactions but less than 1,000,000 transactions per annum
Validation Requirements: 1. Annual SAQ; 2. Quarterly Vulnerability Scan performed by an ASV

PCIDSS Level 4
Number of Visa or MasterCard transactions processed by the business annually: All other merchants
Validation Requirements: Recommended SAQ and Vulnerability Scans (if applicable)

What is the Self Assessment Questionnaire (SAQ)?

The SAQ is a validation tool intended to assist merchants that are not required to undergo an on-site security assessment, for example stand-alone terminal solutions and fully outsourced eCommerce solutions, in self-evaluating their compliance with the PCIDSS. There are a variety of different SAQs which cater for different merchant environments. The different SAQs are outlined in the table below. You should complete the SAQ which is most appropriate to your business and if in doubt you should complete SAQ D. The SAQs can be viewed and downloaded from the PCISSC website.

SAQ Validation Type 1: Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. SAQ: A

SAQ Validation Type 2/3: Imprint-only merchants with no electronic cardholder data storage OR Stand-alone terminal merchants, no electronic cardholder data storage. SAQ: B

SAQ Validation Type 4: Merchants with POS systems connected to the Internet, no electronic cardholder data storage. SAQ: C

SAQ Validation Type 5: All other merchants (not included in Types 1-4 above) and all service providers defined by a payment brand as eligible to complete an SAQ. SAQ: D

What is a Vulnerability Scan?

A vulnerability scan ensures that your systems are protected from external threats such as unauthorised access, hacking or malicious viruses. The scanning tools will test all of your network equipment, hosts and applications for known vulnerabilities. Scans are intended to be non-intrusive, and must be conducted by an Approved Scanning Vendor (ASV). Regular quarterly scans are necessary to ensure that your systems and applications continue to afford adequate levels of protection. A vulnerability scan would not ordinarily be required for a merchant using a stand-alone terminal. A current list of Approved Scanning Vendors (ASV) can be located on the PCISSC website.

What is an on-site security assessment?

If you are required to complete an on-site assessment you will need to employ the services of a Qualified Security Assessor (QSA). A QSA is accredited by the PCISSC annually to validate merchant compliance to the PCIDSS. A list of Qualified Security Assessors (QSA) can be viewed on the PCISSC website. If your business requires an annual on-site assessment you may wish to include the PCIDSS review requirements within your normal annual audit to reduce costs. As this is likely to become a recurring cost, we would recommend that you budget for the review as part of your annual expenditure. You must advise us of your proposed QSA, the timing for the onsite assessment, your remediation plan and your validation of compliance.

What should I do if I'm 'non-compliant'?

Once you have completed the SAQ you may discover that there are some deficiencies in your business environment that don't meet the PCIDSS. If this is the case it is imperative that you develop a plan which outlines actions for each non-compliant element along with estimated timeframes for the completion of each task. By demonstrating progress towards compliance you give yourself the best possible chance of avoiding 'non-compliance' penalties. If you are a 'non-compliant' Level 1, 2 or 3 merchant you are required to submit your remediation plan within the Prioritised Approach Tool every quarter.

The Prioritised Approach Tool

The Prioritised Approach Tool was developed by the PCISSC to assist 'non-compliant' merchants in prioritising their remediation work. It has divided the PCIDSS requirements into six milestones which identify which requirements need the most attention. The Prioritised Approach Tool can be found on the PCISSC website.

What are the requirements for Payment Applications?

If you implement any 'off the shelf' software applications you must ensure that they are compliant to the Payment Application Data Security Standard (PA DSS). The PA DSS was developed by the PCISSC to ensure that software vendors and others who develop payment applications that store, process and/or transmit cardholder data allow the environment in which they are implemented to be compliant to the PCIDSS. A list of compliant Payment Applications can be found on the PCISSC website. Any payment application which is developed in house or heavily customised will be encapsulated in the scope of either the merchant's or the service provider's PCIDSS requirements and does not need to be compliant to the PA DSS.

What should I do in the event of an Account Data Compromise?

Immediately notify Westpac via your Relationship Manager, or through our eMerchant Support area (emerchantsupport@westpac.com.au), that you suspect an ADC event has occurred. It is a requirement of the Card Schemes that a PCI Forensic Investigator (PFI) investigate any breaches affecting our merchants. We will request that you, and any third party involved in assisting your business with processing transactions, provide assistance and access to us for the term of the investigation. There are serious consequences for failing to co-operate in the investigation of any security breaches.

Within the first 24 hours take action to prevent further loss of data by conducting a thorough investigation of the suspected or confirmed loss or theft of cardholder data and transaction information.

To preserve evidence and facilitate the investigation:
– Do not access or alter compromised systems (i.e. do not log on at all to the machine and change passwords; do not log on as ROOT).
– Do not turn off the compromised machines and associated hardware. Instead, isolate compromised systems from the network (i.e. unplug the cable).
– If using a wireless network, change the SSID on the AP and other machines that may be using this connection, with the exception of any systems believed to be compromised.
– Preserve logs and electronic evidence.
– Keep a record of all actions taken.
– Be on "high" alert and monitor all systems with cardholder data and transaction information.
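Two of the steps above, "Preserve logs and electronic evidence" and "Keep a record of all actions taken", can be supported with a small tool. The following Python script is an added example written for this guide; it is not Westpac's or the PCISSC's code, and the directory names, the JSON layout of the manifest and the sample log content are assumptions. It copies log files into an evidence directory without touching the originals, hashes each copy with SHA-256 so the forensic investigator can later confirm nothing changed, and keeps an append-only, timestamped record of the actions taken.

```python
"""Evidence preservation helpers for a suspected Account Data Compromise.

Added example (not part of the Westpac brochure). Directory names and the
manifest layout are assumptions made for this illustration.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

HASH_ALGORITHM = "sha256"


def hash_file(path):
    """Return the hex SHA-256 digest of a file, read in 64 KiB chunks."""
    digest = hashlib.new(HASH_ALGORITHM)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve_logs(source_dir, evidence_dir):
    """Copy every file under source_dir into evidence_dir and return a manifest
    mapping relative path -> digest of the copy.

    The source is only read, never modified, which keeps the compromised host
    as the investigator expects to find it; the copies are made read-only so
    later handling cannot silently change them.
    """
    manifest = {}
    for root, _dirs, files in os.walk(source_dir):
        for name in sorted(files):
            src = os.path.join(root, name)
            rel = os.path.relpath(src, source_dir)
            dst = os.path.join(evidence_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)          # copy2 keeps the original timestamps
            os.chmod(dst, 0o444)
            manifest[rel] = hash_file(dst)
    with open(os.path.join(evidence_dir, "MANIFEST.json"), "w") as fh:
        json.dump({"algorithm": HASH_ALGORITHM, "files": manifest}, fh,
                  indent=2, sort_keys=True)
    return manifest


def verify_manifest(evidence_dir):
    """Re-hash the copies; return the relative paths whose digest no longer
    matches the manifest (an empty list means the evidence is intact)."""
    with open(os.path.join(evidence_dir, "MANIFEST.json")) as fh:
        manifest = json.load(fh)["files"]
    return [rel for rel, digest in manifest.items()
            if hash_file(os.path.join(evidence_dir, rel)) != digest]


def record_action(log_path, actor, action):
    """Append one timestamped JSON line to the action log and return the entry."""
    entry = {"time": datetime.now(timezone.utc).isoformat(),
             "actor": actor, "action": action}
    with open(log_path, "a") as fh:
        fh.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def run_demo():
    """Exercise the helpers on a constructed log directory in a temp folder.

    Returns the manifest, the verification result before and after a
    simulated alteration of a copy, and the number of recorded actions.
    """
    work = tempfile.mkdtemp(prefix="adc-demo-")
    source = os.path.join(work, "pos-logs")       # assumed location of the logs
    evidence = os.path.join(work, "evidence")     # assumed evidence store
    actions = os.path.join(work, "actions.log")
    os.makedirs(source)
    with open(os.path.join(source, "access.log"), "wb") as fh:
        fh.write(b"hello")                        # constructed sample content
    record_action(actions, "merchant", "isolated POS host from network (cable unplugged)")
    manifest = preserve_logs(source, evidence)
    record_action(actions, "merchant", "copied logs to evidence store and hashed them")
    intact = verify_manifest(evidence)
    # Simulate a later change to a copy to show that verification reports it.
    copy = os.path.join(evidence, "access.log")
    os.chmod(copy, 0o644)
    with open(copy, "ab") as fh:
        fh.write(b"!")
    tampered = verify_manifest(evidence)
    with open(actions) as fh:
        action_count = sum(1 for _ in fh)
    return {"manifest": manifest, "intact": intact,
            "tampered": tampered, "action_count": action_count}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest and the action log should be stored somewhere other than the compromised host and handed to the PFI together with the copies; the investigator can re-run verify_manifest at any point to show that the evidence matches what was collected.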

What penalties may apply to my business for failure to meet the PCIDSS requirements?

● If your business is assessed by the Card Schemes as being 'non-compliant' to the PCIDSS you are liable to financial penalties. 'Non-compliance' penalties are assessed at the discretion of the respective Card Schemes and start at USD $25,000 for Level 1 and 2 Merchants and USD $10,000 for Level 3 Merchants for the first quarter. Fines have the potential to double every subsequent quarter that you remain 'non-compliant'.

● In the event that your business experiences an ADC event you may be liable for financial penalties which may be in the hundreds of thousands of dollars. A number of factors are considered by the Card Schemes in the assessment of financial penalties including, but not limited to, the number of compromised accounts, the presence of sensitive authentication data, the number of accounts which need to be monitored by the issuer and the Merchant's level of compliance to the PCIDSS.

Contact Us

If you have any questions in relation to PCIDSS please contact us via email at pci@westpac.com.au

Additional Information

Westpac: http://www.westpac.com.au/business-banking/merchant-accounts/read-up-on/card-fraud-prevention/
Visa: www.visa-asia.com/secured
MasterCard: http://www.mastercard.com/us/sdp/index.html
PCISSC: https://www.pcisecuritystandards.org

Information is current as at April 2011. © 2011 Westpac Banking Corporation ABN 33 007 457 141. MBB018 (04/11) 210997